The New NIST Guidelines
Password security is an omnipresent challenge in today’s IT environment. As a managed services provider (MSP), you’re probably used to customers complaining about having to change their passwords regularly when passwords are already difficult to remember.
The good news is that password requirements are becoming more user-friendly. In a set of new guidelines, the National Institute of Standards and Technology (NIST) established updated password best practices for increased security. NIST develops technology standards that enhance productivity—and federal agencies trust it to promote the highest level of security. This article provides an overview of the new guidelines and how they affect MSPs and their customers.
New Requirements from NIST
Officially known as Special Publication 800-63 Revision 3, the latest NIST guidelines replace the previous 800-63-2 standard. The US government requires its agencies (including ones that deal with sensitive national security data) to follow these practices—and many organizations in the private sector would be wise to follow them as well.
The updated document offers new requirements for what makes a strong password. For instance, password length is critical to making passwords harder to crack, so NIST now asks for a minimum length of eight characters for human-generated passwords and six characters for machine-generated ones. To enable greater security for more sensitive accounts, NIST specifies that systems should allow a maximum password length of at least 64 characters.
Allowing special characters in passwords also promotes increased security. NIST SP 800-63-3 requires that systems permit passwords to incorporate any ASCII or Unicode character (even emojis). Spaces are also supported to enable passphrases, though systems may collapse repeated spaces into a single space. The guidelines prohibit sequential or repeating characters (like 3456 or zzzz) and prohibit dictionary words. Users must avoid putting the name of the website itself in their passwords. Most importantly, systems should check a proposed password against a list of passwords exposed in past breaches. This defeats the common attacker practice of reusing known password lists against other services.
Other rules from NIST encourage automated safeguards that increase security. Password fields must now allow a user to paste text in via a device’s copy-and-paste feature, which enables compatibility with password managers and their numerous security benefits. In addition, stored passwords must be hashed and salted rather than saved as plaintext, so that even if an attacker steals the password database, the passwords cannot simply be read.
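The following is an added example, not code from the article or from NIST, showing how the requirements from the three paragraphs above translate into a verifier: length limits counted in Unicode code points, collapsing of repeated spaces, a breach blocklist, a site-name check, rejection of repeated or sequential runs, no composition rules, and salted hashing for storage. The Unicode NFKC normalization step, the PBKDF2 iteration count and the sample blocklist are assumptions made here, not values from the article.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed sample blocklist standing in for a real breached-password corpus.
BREACHED = {"password", "password1!", "qwerty123", "letmein"}
MIN_LEN, MAX_LEN = 8, 64   # 8+ for user-chosen secrets; accept at least 64

def normalize(pw: str) -> str:
    """Unicode NFKC normalization (assumed), then collapse runs of spaces to one."""
    return re.sub(r" {2,}", " ", unicodedata.normalize("NFKC", pw))

def has_sequential_run(pw: str, n: int = 4) -> bool:
    """True if any n-char window is all repeats (zzzz) or a +1/-1 sequence (3456, dcba)."""
    for i in range(len(pw) - n + 1):
        codes = [ord(c) for c in pw[i:i + n]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw: str, site_name: str) -> list[str]:
    """Return policy violations for a candidate password; an empty list means accept."""
    pw = normalize(pw)
    problems = []
    if len(pw) < MIN_LEN:          # len() counts code points, so an emoji counts as 1
        problems.append("too short")
    if len(pw) > MAX_LEN:
        problems.append("too long")
    if pw.lower() in BREACHED:
        problems.append("found in breach list")
    if site_name.lower() in pw.lower():
        problems.append("contains site name")
    if has_sequential_run(pw):
        problems.append("sequential or repeated characters")
    # Deliberately no composition rule (digits, symbols, mixed case) and no hints/KBA.
    return problems

def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 for storage; the iteration count is an assumption."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"), salt, 600_000)
    return salt, digest

def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a fresh hash against the stored digest."""
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)
```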
Finally, password hints have long been a weak link in security. In the past, users set hints for themselves that virtually gave away the password—defeating the purpose of having a password at all. To prevent this, the new NIST guidelines outlaw password hints altogether. Knowledge-based authentication (KBA)—questions like “What street did you grow up on?” or “Who was your best friend in high school?”—is also no longer allowed. The answers are too easy to find, especially in today’s age of public social media.
Making Passwords Easier for Users
Any MSP knows that passwords cause some of the most common user complaints. For years, best practices called for lengthy passwords with special characters, both upper- and lowercase letters, and numbers. On top of this, users had to change passwords every few months. Unsurprisingly, the combination of unusual characters and constant updating made these passwords almost impossible to remember. Users resorted to risky workarounds like saving passwords in text files, writing them down on notepads at their desks, or picking obvious passwords that nevertheless met the minimum requirements (such as Password1!).
NIST SP 800-63-3 now recognizes that these rules were self-defeating. The new guidelines instead aim to make passwords both user-friendly and secure. The guidelines remove password complexity requirements: special characters and numbers are no longer needed. The new goal is to have passwords that are easier to remember, yet harder to guess.
Users may be pleased to hear that they are no longer required to change their passwords on a regular basis. A sufficiently strong password can be used indefinitely—unless and until it is compromised in a data breach. This element of the guidelines will likely make the biggest difference in helping users remember their passwords.
SolarWinds® adds the Passportal suite to its MSP product portfolio. MSP security, simplified. SolarWinds® Passportal + Documentation Manager is a SOC 2 certified, RAPID 7 tested, award-winning platform.
Grow your business faster with the world's first unified platform for true password management and secure IT documentation. More than 2,000 best-in-class MSPs around the world are leveraging our security, automation, and rapid access to client knowledge to outperform the competition.